Critical SUSE Tomcat 11 security update patches CVE-2025-48989, a high-severity HTTP/2 DoS vulnerability (CVSS 8.7). Learn the risks, affected products, and immediate patch instructions for openSUSE Leap & SLES to prevent server instability and denial-of-service attacks.
A newly disclosed vulnerability, tracked as CVE-2025-48989, poses a significant threat to the stability of web servers running Apache Tomcat 11.
This critical security flaw, dubbed "MadeYouReset," enables a remote attacker to trigger a denial-of-service (DoS) condition by exploiting the HTTP/2 protocol's stream reset mechanism. Major enterprise Linux distributor SUSE has rated this update as "important" and released immediate patches for its affected products, including SUSE Linux Enterprise Server (SLES) and openSUSE Leap.
This comprehensive analysis will detail the vulnerability's technical impact, its CVSS severity scores, the complete list of affected SUSE products, and the precise commands required to secure your systems.
For DevOps engineers, system administrators, and IT security professionals, understanding and applying this patch is not just recommended—it's essential for maintaining server integrity and mitigating cyber risk.
Understanding the CVE-2025-48989 Vulnerability and Its Impact
What is the core of the "MadeYouReset" vulnerability? In essence, CVE-2025-48989 is a weakness within the Apache Tomcat 11 implementation of the HTTP/2 protocol.
A malicious client can deliberately send a sequence of crafted stream resets, overwhelming the server's resources and causing a significant degradation in performance or a complete service outage. This type of attack does not typically lead to data exfiltration but severely impacts application availability, which can result in substantial financial and reputational damage.
The severity of this flaw is quantified by its Common Vulnerability Scoring System (CVSS) ratings. SUSE scores it at a formidable 8.7 (CVSS:4.0), while the National Vulnerability Database (NVD) and SUSE's CVSS:3.1 assessment both rate it at 7.5 (High). The key vector is network-based, requires no user interaction or privileges, and has a high impact on availability, making it a prime candidate for exploitation in the wild.
Affected Products and Software Packages
The following SUSE Linux distributions and modules are vulnerable and require immediate attention. If you are managing servers based on any of these versions, you are at risk:
openSUSE Leap 15.6
SUSE Linux Enterprise Server 15 SP6
SUSE Linux Enterprise Server 15 SP7
SUSE Linux Enterprise Server for SAP Applications 15 SP6
SUSE Linux Enterprise Server for SAP Applications 15 SP7
Web and Scripting Module 15-SP6
Web and Scripting Module 15-SP7
The update encompasses a suite of Tomcat 11 packages, including the main tomcat11 server, admin webapps, API libraries (like servlet-6.1-api and jsp-4.0-api), and documentation modules. A full package list is provided in the patch instructions section below.
Immediate Patch Instructions and Mitigation Strategies
To secure your environment against potential DoS attacks leveraging CVE-2025-48989, you must apply the official SUSE patch immediately. The recommended method is to use SUSE's standard package management tools, which ensure all dependencies are correctly resolved.
How do you apply the Tomcat 11 security patch? Execute the following commands in your terminal based on your specific operating system:
For Web and Scripting Module 15-SP7:
sudo zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP7-2025-2992=1
For openSUSE Leap 15.6:
sudo zypper in -t patch SUSE-2025-2992=1 openSUSE-SLE-15.6-2025-2992=1
For Web and Scripting Module 15-SP6:
sudo zypper in -t patch SUSE-SLE-Module-Web-Scripting-15-SP6-2025-2992=1
For those using automated patch management systems like YaST online_update, the patch should appear in your scheduled updates. We strongly advise testing the update in a staging environment before deploying it to production to ensure compatibility with your specific Java web applications.
Beyond the CVE: Additional Fixes in Tomcat 11.0.10
This security release also bundles Tomcat version 11.0.10, which includes numerous stability and performance improvements that enhance the overall quality of your Java application server. Key fixes include:
Coyote (HTTP Connector): Resolution of a keep-alive timeout bug for HTTP/1.1 async requests and a potential integer overflow in HPACK decoding.
Cluster Management: New enableStatistics configuration attribute for the DeltaManager.
WebSocket Client: Improved extension handling to align with server-side behavior.
Web Applications: Dedicated favicon files for the Manager and Host Manager apps.
Internationalization: Improvements to French and Japanese translations.
These updates demonstrate SUSE and the Apache Tomcat project's commitment to delivering not only secure but also robust and enterprise-grade software.
Conclusion: Prioritize This Update to Mitigate Cyber Risk
The CVE-2025-48989 vulnerability represents a clear and present danger to the availability of web services running on unpatched Tomcat 11 instances on SUSE platforms.
Given its high CVSS score and the ease with which it can be exploited remotely, this patch should be classified as a high-priority action item for any relevant IT team.
Proactive security hygiene, including the timely application of critical patches, is the most effective defense against evolving cyber threats.
By updating to Tomcat 11.0.10, you are not only closing a serious security gap but also investing in the enhanced stability and performance of your application infrastructure.
Take action now. Review your server inventory, identify any affected systems, and deploy the recommended patch to protect your network from this HTTP/2 denial-of-service vulnerability.
Frequently Asked Questions (FAQ)
Q1: What is a Denial-of-Service (DoS) attack?
A: A DoS attack is a cyber-attack where the perpetrator seeks to make a machine or network resource unavailable to its intended users by temporarily or indefinitely disrupting services of a host connected to a network.
Q2: I'm not using HTTP/2 on my Tomcat server. Am I still vulnerable?
A: No. The CVE-2025-48989 vulnerability is specific to the HTTP/2 protocol implementation. If you have not enabled HTTP/2 in your Tomcat connector configuration, your server is not susceptible to this specific flaw. However, applying the patch is still recommended for the other included fixes.
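A post-update check that serves both the patch instructions above and this question, as an added example that is not part of the SUSE advisory: it compares an installed tomcat11 version against the 11.0.10 release the advisory ships and reports whether a server.xml actually enables HTTP/2, ignoring the commented-out connector the stock file carries. The rpm query and the /etc/tomcat11/server.xml path are assumptions; the sample configuration is constructed.

```shell
# Added example (not from the SUSE advisory): two checks written as functions so they run offline on constructed input.
#   tomcat_patched VERSION -> "patched" if VERSION >= 11.0.10 (the release the
#                             advisory ships), else "vulnerable"
#   http2_enabled FILE     -> "yes" if server.xml has an active HTTP/2
#                             <UpgradeProtocol>, else "no" (see Q2 in the FAQ)
FIXED_VERSION="11.0.10"

# version_ge A B: true if dotted version A >= B, compared numerically per field.
version_ge() {
    lowest=$(printf '%s\n%s\n' "$1" "$2" | sort -t. -k1,1n -k2,2n -k3,3n | head -n1)
    [ "$lowest" = "$2" ]
}
tomcat_patched() {
    if version_ge "$1" "$FIXED_VERSION"; then echo patched; else echo vulnerable; fi
}
http2_enabled() {
    # Flatten and strip XML comments first: the stock server.xml carries an
    # HTTP/2 connector inside a comment block, which must not count as enabled.
    if tr '\n' ' ' < "$1" | sed -E 's/<!--([^-]|-[^-])*-->//g' \
         | grep -q 'org\.apache\.coyote\.http2\.Http2Protocol'; then
        echo yes
    else
        echo no
    fi
}
# make_sample FILE enabled|commented: constructed server.xml, not from a real host.
make_sample() {
    if [ "$2" = commented ]; then open='<!--'; close='-->'; else open=''; close=''; fi
    cat > "$1" <<EOF
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    $open
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />
    </Connector>
    $close
  </Service>
</Server>
EOF
}
# Dry run on the samples. On a live SUSE host feed the real values instead, e.g.
# tomcat_patched "$(rpm -q --qf '%{VERSION}' tomcat11)" and
# http2_enabled /etc/tomcat11/server.xml (config path assumed; verify locally).
f=$(mktemp); make_sample "$f" enabled
echo "11.0.9, HTTP/2 on : $(tomcat_patched 11.0.9) / http2=$(http2_enabled "$f")"
make_sample "$f" commented
echo "11.0.10, HTTP/2 off: $(tomcat_patched 11.0.10) / http2=$(http2_enabled "$f")"
rm -f "$f"
```

A host reporting "vulnerable" together with http2=yes is the one to patch first; http2=no still gets the update for the other fixes, as the answer above notes.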
Q3: What is the difference between CVSS 7.5 and 8.7 scores for this CVE?
A: The scores come from different versions of the CVSS standard. CVSS v3.1 is the previous standard and scores it 7.5 (High). The newer, more granular CVSS v4.0 standard, which SUSE also provided, scores it 8.7 (High). Both indicate a high-severity vulnerability that requires urgent attention.
Q4: Where can I find more technical details about this CVE?
A: You can reference the official sources:
Q5: Are other operating systems like Ubuntu or RHEL affected?
A: The vulnerability is in Apache Tomcat itself. While this announcement covers SUSE's distribution of it, other vendors who package Tomcat 11 will likely issue their own advisories and patches. You should check with your specific OS vendor.